diff --git a/src/user/uploads.js b/src/user/uploads.js
index 3bc9108f39..aa77df6e9d 100644
--- a/src/user/uploads.js
+++ b/src/user/uploads.js
@@ -18,14 +18,14 @@ module.exports = function (User) {
 throw new Error('[[error:no-privileges]]');
 }
- if (uploadName.startsWith('.')) {
+ const finalPath = path.join(nconf.get('upload_path'), uploadName);
+ if (!finalPath.startsWith(nconf.get('upload_path'))) {
 throw new Error('[[error:invalid-path]]');
 }
- winston.verbose('[user/deleteUpload] Deleting ' + uploadName);
 await Promise.all([
- file.delete(path.join(nconf.get('upload_path'), uploadName)),
- file.delete(path.join(nconf.get('upload_path'), path.dirname(uploadName), path.basename(uploadName, path.extname(uploadName)) + '-resized' + path.extname(uploadName))),
+ file.delete(finalPath),
+ file.delete(file.appendToFileName(finalPath, '-resized')),
 ]);
 await db.sortedSetRemove('uid:' + uid + ':uploads', uploadName);
 };
diff --git a/test/uploads.js b/test/uploads.js
index 44ea53cdcd..ff303a20d3 100644
--- a/test/uploads.js
+++ b/test/uploads.js
@@ -48,9 +48,12 @@ describe('Upload Controllers', function () {
 cid = results.category.cid;
 topics.post({ uid: adminUid, title: 'test topic title', content: 'test topic content', cid: results.category.cid }, function (err, result) {
+ if (err) {
+ return done(err);
+ }
 tid = result.topicData.tid;
 pid = result.postData.pid;
- done(err);
+ groups.join('administrators', adminUid, done);
 });
 });
 });
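Review bot: The new guard `finalPath.startsWith(nconf.get('upload_path'))` is a bare string-prefix test, so a resolved path that lands in a sibling directory whose name merely extends the upload directory's name (a constructed example: `<upload_path>-other/`) still passes, and because the config value is used un-normalized, a relative `upload_path` such as `./uploads` is rewritten by `path.join` and every delete is then rejected. Anchor the check on the resolved directory plus a separator: `const uploadPath = path.resolve(nconf.get('upload_path'));`, `const finalPath = path.join(uploadPath, uploadName);`, `if (!finalPath.startsWith(uploadPath + path.sep)) {`. Whether `upload_path` is already guaranteed absolute in this codebase is not visible from the hunk. Removing the `winston.verbose('[user/deleteUpload] Deleting ' + uploadName)` line also drops the only record of which file was deleted and by whom; keeping a log line that names `uid` and `finalPath` would preserve an audit trail for this destructive action. The enclosing deleteUpload function starts outside the hunk.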
@@ -107,6 +110,20 @@ describe('Upload Controllers', function () {
 });
 });
+ it('should not allow deleting if path is not correct', function (done) {
+ socketUser.deleteUpload({ uid: adminUid }, { uid: regularUid, name: '../../bkconfig.json' }, function (err) {
+ assert.equal(err.message, '[[error:invalid-path]]');
+ done();
+ });
+ });
+
+ it('should not allow deleting if path is not correct', function (done) {
+ socketUser.deleteUpload({ uid: adminUid }, { uid: regularUid, name: '/files/../../bkconfig.json' }, function (err) {
+ assert.equal(err.message, '[[error:invalid-path]]');
+ done();
+ });
+ });
+
 it('should resize and upload an image to a post', function (done) {
 var oldValue = meta.config.resizeImageWidth;
 meta.config.resizeImageWidth = 10;
@@ -288,7 +305,7 @@ describe('Upload Controllers', function () {
 assert.ifError(err);
 jar = _jar;
 csrf_token = _csrf_token;
- groups.join('administrators', adminUid, done);
+ done();
 });
 });
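Review bot: Both new test cases carry the identical title 'should not allow deleting if path is not correct', so a failure in the mocha report cannot be attributed to either input; give them distinct names, e.g. `it('should not allow deleting if a relative path traverses out of upload_path', function (done) {` and `it('should not allow deleting if an absolute path traverses out of upload_path', function (done) {`. Neither case exercises a name whose resolved path ends up outside the upload directory while still sharing its string prefix, which is the boundary a prefix-based path check is weakest at, so a third case of that shape would pin the guard down. Inside each callback, an `assert(err);` before `assert.equal(err.message, ...)` would report a silently successful delete as an assertion failure rather than a TypeError on `err.message`. The enclosing describe block starts outside the hunk.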